What does the `aws.cognito.signin.user.admin` scope mean in Amazon Cognito?

Amazon Cognito has a number of system-reserved scopes:

  • openid
  • email
  • phone
  • profile
  • aws.cognito.signin.user.admin

But it doesn't document what they give access to.

The first 3 are fairly self-explanatory. I would expect profile to mean the user profile.

I've found by trial-and-error that I need aws.cognito.signin.user.admin to use the Amazon Cognito Get User API call. I would have expected this to be profile instead, but OK, fine.

What I'm concerned about is what else aws.cognito.signin.user.admin might do. If I let 3rd party clients request this scope, what am I giving them access to?

GlennS asked Nov 05 '18 05:11




1 Answer

The aws.cognito.signin.user.admin scope gives you access to all the User Pool APIs that can be accessed using access tokens alone (full documentation here).

Note that this doesn't mean that the user would have arbitrary access to all the AWS API (like an IAM role might), but that if the request syntax for that API call includes "AccessToken": "string", then an access token granted using aws.cognito.signin.user.admin will be able to call it.

As a rule, the Cognito UserPool APIs (and it is only Cognito UserPool APIs) that authorise like this are ones that allow you to modify something on your own UserPool profile (i.e. do not start with Admin and affect a single profile):

At a glance through the API, these actions are (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html):

  • AssociateSoftwareToken
  • ChangePassword
  • ConfirmDevice
  • DeleteUser
  • DeleteUserAttributes
  • ForgetDevice
  • GetDevice
  • GetUser
  • GetUserAttributeVerificationCode
  • GlobalSignOut
  • ListDevices
  • SetUserMFAPreference
  • SetUserSettings
  • UpdateDeviceStatus
  • UpdateUserAttributes
  • VerifySoftwareToken
  • VerifyUserAttribute
thomasmichaelwallace answered Sep 21 '22 00:09
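The practical consequence of the answer above is that a third-party client holding an access token with `aws.cognito.signin.user.admin` can call every operation in that list, including `DeleteUser` and `ChangePassword`, whereas a token carrying only `openid`/`profile` is rejected by `GetUser`. The scope is visible in the access token itself: Cognito writes the granted scopes into a space-separated `scope` claim. The following is an added example (editor's code, not from the question, the answer, or AWS) that inspects that claim and decides whether a token may invoke a given access-token-authorised operation. The tokens it handles are constructed locally and unsigned for offline demonstration; the `client-a`/`client-b` client IDs are made up, and a real check must first verify the RS256 signature against the user pool's JWKS and check `iss` and `exp` before trusting any claim.

```python
"""Inspect a Cognito access token's `scope` claim before calling an
access-token-authorised User Pool API such as GetUser.

Added example (editor's code, not from the original Q&A). Tokens here are
constructed locally and unsigned; a production check must verify the RS256
signature against the user pool JWKS and the `iss`/`exp` claims first.
"""
import base64
import json

USER_ADMIN_SCOPE = "aws.cognito.signin.user.admin"

# User Pool operations the answer lists as callable with an access token alone.
ACCESS_TOKEN_OPERATIONS = frozenset({
    "AssociateSoftwareToken", "ChangePassword", "ConfirmDevice", "DeleteUser",
    "DeleteUserAttributes", "ForgetDevice", "GetDevice", "GetUser",
    "GetUserAttributeVerificationCode", "GlobalSignOut", "ListDevices",
    "SetUserMFAPreference", "SetUserSettings", "UpdateDeviceStatus",
    "UpdateUserAttributes", "VerifySoftwareToken", "VerifyUserAttribute",
})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS token.

    The signature is NOT verified here; do that first in real code.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(_b64url_decode(parts[1]))


def scopes_of(claims: dict) -> set:
    # Cognito puts the granted scopes into one space-separated `scope` claim.
    return set(claims.get("scope", "").split())


def can_call(claims: dict, operation: str, allowed_client_ids) -> bool:
    """Decide whether this access token may invoke `operation`.

    Mirrors what the service enforces: an access token (not an ID token),
    issued to an app client we trust, carrying the user.admin scope, and an
    operation that accepts "AccessToken" rather than an Admin* operation.
    """
    if claims.get("token_use") != "access":
        return False  # ID tokens carry no `scope` claim and are rejected
    if claims.get("client_id") not in allowed_client_ids:
        return False  # token was issued to a client we do not trust
    if operation not in ACCESS_TOKEN_OPERATIONS:
        return False  # e.g. AdminGetUser needs IAM credentials, not a token
    return USER_ADMIN_SCOPE in scopes_of(claims)


def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned (alg=none) token for offline demonstration only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample tokens; `client-a` is a hypothetical app client ID.
    with_admin = make_unsigned_token({
        "token_use": "access", "client_id": "client-a",
        "scope": f"openid profile {USER_ADMIN_SCOPE}",
    })
    without_admin = make_unsigned_token({
        "token_use": "access", "client_id": "client-a",
        "scope": "openid profile",
    })
    for name, tok in (("with admin scope", with_admin),
                      ("without admin scope", without_admin)):
        claims = decode_claims(tok)
        print(name, "GetUser:", can_call(claims, "GetUser", {"client-a"}),
              "DeleteUser:", can_call(claims, "DeleteUser", {"client-a"}))
```

The `client_id` check is the part worth keeping in mind when deciding whether to expose this scope to third parties: the scope is granted per app client, so the lever you actually have is which app clients are allowed to request `aws.cognito.signin.user.admin` at all, not which operations a token with it may call.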